Prerequisites

HDD large enough to hold an entire DD image of the Malware Client system disk, plus Linux, plus some left over for data capture and analysis. Perhaps 300GB.

2x1Gb/s NICs

PC #2 is the Malware Client

Windows XP SP2 (do not install patches)

1GB RAM

100GB HDD

IMPORTANT: Create the Windows partition as small as possible. There's an awful lot of hard drive imaging and reimaging going on here, so you'll save a heck of a lot of time by making this no larger than necessary. I've had good experience with 8GB.

1x1Gb/s NIC

On each system, do a base OS install. The Truman Server should be up-to-date with all patches. There should be no patches applied to the Malware Client, though!

Ideally, these should be on two physical computers! Some malware contains code to detect the presence of a virtual machine and fails to run, or provides misleading results. Also, VMWare often seems to have trouble keeping up with all this hard drive imaging. At best, it's slow as a slug. At worst, it crashes the VMs. Seriously, it's best if you use two physical machines for this.

However, if you do use a VM, you should configure each system to have one NIC on a shared virtual network that is not connected to the physical network. I assign one interface on each host to /dev/vmnet9. The main NIC on the Truman Server should be configured as a bridging interface, as it will be connecting to the actual network.

Also, if you're using VMWare, you may find it convenient to create snapshots of each host just after successful OS installation but prior to configuring Truman, just in case you hose things and need to back out and try over.

A note about NICs

The Truman PXE environment is based on an old Linux 2.4 kernel, so network card support is limited. Many common drivers are included, like 3c509/3c59x, e1000, eepro and some others. I had trouble getting my 3c509 card recognized when Truman booted into Linux on the Malware Client. Here's what I did to fix it:

On the Truman Server, unzip /tftpboot/truman.img.gz and mount the filesystem:

gunzip /tftpboot/truman.img.gz

mount -o loop /tftpboot/truman.img /mnt

Edit the /mnt/etc/init.d/rc.inet file to manually configure the network interface. At the top of the file, add: